blob: e33e5cb2a82069ed81d729a9869955902a45687f [file] [log] [blame]
// Copyright (C) 2009 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.auth.ldap;
import static com.google.gerrit.server.account.externalids.ExternalId.SCHEME_GERRIT;
import com.google.common.base.Strings;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.common.data.ParameterizedString;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.entities.GroupReference;
import com.google.gerrit.extensions.client.AccountFieldName;
import com.google.gerrit.extensions.client.AuthType;
import com.google.gerrit.server.account.AbstractRealm;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AuthRequest;
import com.google.gerrit.server.account.EmailExpander;
import com.google.gerrit.server.account.GroupBackends;
import com.google.gerrit.server.account.externalids.ExternalId;
import com.google.gerrit.server.account.externalids.ExternalIdKeyFactory;
import com.google.gerrit.server.account.externalids.ExternalIds;
import com.google.gerrit.server.auth.AuthenticationUnavailableException;
import com.google.gerrit.server.auth.NoSuchUserException;
import com.google.gerrit.server.config.AuthConfig;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.server.logging.Metadata;
import com.google.gerrit.server.logging.TraceContext;
import com.google.gerrit.server.logging.TraceContext.TraceTimer;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import com.google.inject.name.Named;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import javax.naming.CompositeName;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.security.auth.login.LoginException;
import org.eclipse.jgit.lib.Config;
@Singleton
class LdapRealm extends AbstractRealm {
private static final FluentLogger logger = FluentLogger.forEnclosingClass();
static final String LDAP = "com.sun.jndi.ldap.LdapCtxFactory";
static final String USERNAME = "username";
private final Helper helper;
private final AuthConfig authConfig;
private final EmailExpander emailExpander;
private final LoadingCache<String, Optional<Account.Id>> usernameCache;
private final Set<AccountFieldName> readOnlyAccountFields;
private final boolean fetchMemberOfEagerly;
private final String mandatoryGroup;
private final LdapGroupBackend groupBackend;
private final Config config;
private final LoadingCache<String, Set<AccountGroup.UUID>> membershipCache;
@Inject
LdapRealm(
Helper helper,
AuthConfig authConfig,
EmailExpander emailExpander,
LdapGroupBackend groupBackend,
@Named(LdapModule.GROUP_CACHE) LoadingCache<String, Set<AccountGroup.UUID>> membershipCache,
@Named(LdapModule.USERNAME_CACHE) LoadingCache<String, Optional<Account.Id>> usernameCache,
@GerritServerConfig Config config) {
this.helper = helper;
this.authConfig = authConfig;
this.emailExpander = emailExpander;
this.groupBackend = groupBackend;
this.usernameCache = usernameCache;
this.membershipCache = membershipCache;
this.config = config;
this.readOnlyAccountFields = new HashSet<>();
if (optdef(config, "accountFullName", "DEFAULT") != null) {
readOnlyAccountFields.add(AccountFieldName.FULL_NAME);
}
if (optdef(config, "accountSshUserName", "DEFAULT") != null) {
readOnlyAccountFields.add(AccountFieldName.USER_NAME);
}
if (!authConfig.isAllowRegisterNewEmail()) {
readOnlyAccountFields.add(AccountFieldName.REGISTER_NEW_EMAIL);
}
fetchMemberOfEagerly = optional(config, "fetchMemberOfEagerly", true);
mandatoryGroup = optional(config, "mandatoryGroup");
}
static SearchScope scope(Config c, String setting) {
return c.getEnum("ldap", null, setting, SearchScope.SUBTREE);
}
static String optional(Config config, String name) {
return config.getString("ldap", null, name);
}
static int optional(Config config, String name, int defaultValue) {
return config.getInt("ldap", name, defaultValue);
}
static String optional(Config config, String name, String defaultValue) {
final String v = optional(config, name);
if (Strings.isNullOrEmpty(v)) {
return defaultValue;
}
return v;
}
static boolean optional(Config config, String name, boolean defaultValue) {
return config.getBoolean("ldap", name, defaultValue);
}
static String required(Config config, String name) {
final String v = optional(config, name);
if (v == null || "".equals(v)) {
throw new IllegalArgumentException("No ldap." + name + " configured");
}
return v;
}
static List<String> optionalList(Config config, String name) {
String[] s = config.getStringList("ldap", null, name);
return Arrays.asList(s);
}
static List<String> requiredList(Config config, String name) {
List<String> vlist = optionalList(config, name);
if (vlist.isEmpty()) {
throw new IllegalArgumentException("No ldap " + name + " configured");
}
return vlist;
}
@Nullable
static String optdef(Config c, String n, String d) {
final String[] v = c.getStringList("ldap", null, n);
if (v == null || v.length == 0) {
return d;
} else if (v[0] == null || "".equals(v[0])) {
return null;
} else {
checkBackendCompliance(n, v[0], Strings.isNullOrEmpty(d));
return v[0];
}
}
static String reqdef(Config c, String n, String d) {
final String v = optdef(c, n, d);
if (v == null) {
throw new IllegalArgumentException("No ldap." + n + " configured");
}
return v;
}
@Nullable
static ParameterizedString paramString(Config c, String n, String d) {
String expression = optdef(c, n, d);
if (expression == null) {
return null;
} else if (expression.contains("${")) {
return new ParameterizedString(expression);
} else {
return new ParameterizedString("${" + expression + "}");
}
}
private static void checkBackendCompliance(
String configOption, String suppliedValue, boolean disabledByBackend) {
if (disabledByBackend && !Strings.isNullOrEmpty(suppliedValue)) {
String msg = String.format("LDAP backend doesn't support: ldap.%s", configOption);
logger.atSevere().log("%s", msg);
throw new IllegalArgumentException(msg);
}
}
@Override
public boolean allowsEdit(AccountFieldName field) {
return !readOnlyAccountFields.contains(field);
}
@Nullable
static String apply(ParameterizedString p, LdapQuery.Result m) throws NamingException {
if (p == null) {
return null;
}
final Map<String, String> values = new HashMap<>();
for (String name : m.attributes()) {
values.put(name, m.get(name));
}
String r = p.replace(values).trim();
return r.isEmpty() ? null : r;
}
@Override
public AuthRequest authenticate(AuthRequest who) throws AccountException {
if (config.getBoolean("ldap", "localUsernameToLowerCase", false)) {
who.setLocalUser(who.getLocalUser().toLowerCase(Locale.US));
}
final String username = who.getLocalUser();
try {
final DirContext ctx;
if (authConfig.getAuthType() == AuthType.LDAP_BIND) {
ctx = helper.authenticate(username, who.getPassword());
} else {
ctx = helper.open();
}
try {
final Helper.LdapSchema schema = helper.getSchema(ctx);
LdapQuery.Result m;
who.setAuthProvidesAccountActiveStatus(true);
m = helper.findAccount(schema, ctx, username, fetchMemberOfEagerly);
who.setActive(true);
if (authConfig.getAuthType() == AuthType.LDAP && !who.isSkipAuthentication()) {
// We found the user account, but we need to verify
// the password matches it before we can continue.
//
helper.close(helper.authenticate(m.getDN(), who.getPassword()));
}
who.setDisplayName(apply(schema.accountFullName, m));
who.setUserName(apply(schema.accountSshUserName, m));
if (schema.accountEmailAddress != null) {
who.setEmailAddress(apply(schema.accountEmailAddress, m));
} else if (emailExpander.canExpand(username)) {
// If LDAP cannot give us a valid email address for this user
// try expanding it through the older email expander code which
// assumes a user name within a domain.
//
who.setEmailAddress(emailExpander.expand(username));
}
// Fill the cache with the user's current groups. We've already
// spent the cost to open the LDAP connection, we might as well
// do one more call to get their group membership. Since we are
// in the middle of authenticating the user, its likely we will
// need to know what access rights they have soon.
//
if (fetchMemberOfEagerly || mandatoryGroup != null) {
Set<AccountGroup.UUID> groups = helper.queryForGroups(ctx, username, m);
if (mandatoryGroup != null) {
GroupReference mandatoryGroupRef =
GroupBackends.findExactSuggestion(groupBackend, mandatoryGroup);
if (mandatoryGroupRef == null) {
throw new AccountException("Could not identify mandatory group: " + mandatoryGroup);
}
if (!groups.contains(mandatoryGroupRef.getUUID())) {
throw new AccountException(
"Not member of mandatory LDAP group: " + mandatoryGroupRef.getName());
}
}
// Regardless if we enabled fetchMemberOfEagerly, we already have the
// groups and it would be a waste not to cache them.
membershipCache.put(username, groups);
}
return who;
} finally {
helper.close(ctx);
}
} catch (IOException | NamingException e) {
logger.atSevere().withCause(e).log("Cannot query LDAP to authenticate user");
throw new AuthenticationUnavailableException("Cannot query LDAP for account", e);
} catch (LoginException e) {
logger.atSevere().withCause(e).log("Cannot authenticate server via JAAS");
throw new AuthenticationUnavailableException("Cannot query LDAP for account", e);
}
}
@Override
public void onCreateAccount(AuthRequest who, Account account) {
usernameCache.put(who.getLocalUser(), Optional.of(account.id()));
}
@Nullable
@Override
public Account.Id lookup(String accountName) {
if (Strings.isNullOrEmpty(accountName)) {
return null;
}
try {
Optional<Account.Id> id = usernameCache.get(accountName);
return id != null ? id.orElse(null) : null;
} catch (ExecutionException e) {
logger.atWarning().withCause(e).log("Cannot lookup account %s in LDAP", accountName);
return null;
}
}
@Override
public boolean isActive(String username)
throws LoginException, NamingException, AccountException, IOException {
final DirContext ctx = helper.open();
try {
Helper.LdapSchema schema = helper.getSchema(ctx);
@SuppressWarnings("unused")
var unused = helper.findAccount(schema, ctx, username, false);
return true;
} catch (NoSuchUserException e) {
return false;
} finally {
helper.close(ctx);
}
}
@Override
public boolean accountBelongsToRealm(Collection<ExternalId> externalIds) {
for (ExternalId id : externalIds) {
if (id.isScheme(SCHEME_GERRIT)) {
return true;
}
}
return false;
}
static class UserLoader extends CacheLoader<String, Optional<Account.Id>> {
private final ExternalIds externalIds;
private final ExternalIdKeyFactory externalIdKeyFactory;
@Inject
UserLoader(ExternalIds externalIds, ExternalIdKeyFactory externalIdKeyFactory) {
this.externalIds = externalIds;
this.externalIdKeyFactory = externalIdKeyFactory;
}
@Override
public Optional<Account.Id> load(String username) throws Exception {
try (TraceTimer timer =
TraceContext.newTimer(
"Loading account for username", Metadata.builder().username(username).build())) {
return externalIds
.get(externalIdKeyFactory.create(SCHEME_GERRIT, username))
.map(ExternalId::accountId);
}
}
}
static class MemberLoader extends CacheLoader<String, Set<AccountGroup.UUID>> {
private final Helper helper;
@Inject
MemberLoader(Helper helper) {
this.helper = helper;
}
@Override
public Set<AccountGroup.UUID> load(String username) throws Exception {
try (TraceTimer timer =
TraceContext.newTimer(
"Loading group for member with username",
Metadata.builder().username(username).build())) {
final DirContext ctx = helper.open();
try {
return helper.queryForGroups(ctx, username, null);
} finally {
helper.close(ctx);
}
}
}
}
static class ExistenceLoader extends CacheLoader<String, Boolean> {
private final Helper helper;
@Inject
ExistenceLoader(Helper helper) {
this.helper = helper;
}
@Override
public Boolean load(String groupDn) throws Exception {
try (TraceTimer timer =
TraceContext.newTimer(
"Loading groupDn", Metadata.builder().authDomainName(groupDn).build())) {
final DirContext ctx = helper.open();
try {
Name compositeGroupName = new CompositeName().add(groupDn);
try {
ctx.getAttributes(compositeGroupName);
return true;
} catch (NamingException e) {
return false;
}
} finally {
helper.close(ctx);
}
}
}
}
}